Cybercriminals have a variety of tools and techniques in their bag of tricks. In order to go about their business undetected though, their tools are constantly changing. It seems once the good guys figure out how to defend against one type of attack, they’ve already moved on to the next type. This year, fileless malware (also called non-malware) is making headlines as one of the latest up-and-coming infection techniques.
Why is it so popular? Because traditional defense technologies – like antivirus (AV) and signature-based intrusion detection / protection systems (IDS / IPS) – can’t detect it. This presents a huge opportunity for hackers, and they will exploit this weakness for as long as they can.
All is not lost. It’s entirely possible to detect a fileless malware attack. You just need to know what to look for. Let’s take a closer look to help you understand what you’re facing and what can be done.
What is Fileless Malware?
Fileless malware is not really fileless, it just isn't an executable file (.exe). When you are compromised using this technique, there is no malicious program sitting on your PC. It operates by using legitimate programs, typically PowerShell, for malicious purposes. PowerShell is a popular task-based command-line shell and scripting language. It’s used to rapidly automate the administration of multiple operating systems and the processes related to the applications that run on those operating systems.
A malicious encoded script can be decoded by PowerShell, and then reach out to a command and control server without writing any files to the local hard drive. According to TechRepublic, “Without a payload file to infect a system, antivirus software applications can't generate a signature definition based on the malware file's characteristics. This poses a problem, as the application simply does not know what to look for.”
How to Detect Fileless Malware
To be successful, all malware, including fileless, must persist. Hackers need their malware to survive a reboot, so they can stay in the system undetected as long as possible and maximize their reward, whether it’s personal information, credit card numbers, or company secrets.
Being able to detect this persistence mechanism is the key to detecting the presence of fileless malware on your Windows endpoints.
There are many different ways malware can persist on a Windows device. The most common are:
- Scheduling tasks,
- Installing as a service, and
- Using the run key.
But there are more than 50 different places that malware can hide, including:
- Logon (Startup Menu, Microsoft Active Setup),
- Explorer (Context Menu Handlers, Drag/Drop Handlers),
- Internet Explorer (Browser Helpers, Extensions),
- Drivers, Codecs, Boot Execute, Image Hijacks, AppInit DLLs, WinLogon, WinSock Providers, Print Monitors, LSA Providers, Network Providers, Sidebar Gadgets, and more!
Using threat hunting techniques, analysts can find and analyze all unique or suspicious persistence mechanisms on a device. Then using context and the latest threat intelligence, determine whether a fileless malware attack was successfully deployed. Learn more about threat hunting in, An Introduction to Cyber Threat Hunting.
Get alerted of fileless malware in minutes. Combining the human contextual analysis of nDiscovery with the real-time capabilities of nAlert, nPoint, the Windows Endpoint Analysis add-on to an nDiscovery subscription, delivers highly accurate malware detection across your entire Windows environment. You will know whether or not you are infected and exactly what to do about it, without any time or effort on your part, and within minutes of infection.